Known issues for Splunk Enterprise Security
Splunk Enterprise Security 7.2.0 was released on September 6, 2023. For more information on release dates for the major versions of Splunk Enterprise Security, see the Software Support Policy page.
This release includes the following known issues.
Date filed | Issue number | Description |
---|---|---|
2024-02-06 | SOLNESS-40942 | IR page stuck in Updating after user with ess_analyst role updates notables. |
2024-01-12 | SOLNESS-40632 | Discrepancy in the notable events timeline visualization. Workaround: No workaround |
2023-12-05 | SOLNESS-40127, SOLNESS-40436 | Values configured in the "blacklist" or "blacklist_fields" fields of the Identity Manager are ignored. Workaround: Update the exclusion fields using the UI. Go to *Configure > Data Enrichment > Assets & Identity Management.* Select the relevant asset or identity lookup. Update the Denylist checkbox or update the field exclusion list. |
2023-11-30 | SOLNESS-40082 | Timeline options for the Investigations do not display correctly for Splunk Enterprise Security version 7.0.2 and higher. |
2023-11-30 | SOLNESS-40087 | In Drilldown Searches, "Latest Offset" UI helper text displays "Earliest Time" instead of "Latest Time". |
2023-11-09 | SOLNESS-39519 | Saved filters in the Incident Review page result in a blank page after upgrading to version 7.2. |
2023-11-07 | SOLNESS-39507 | Updating notable event actions results in the following error: "The update failed: 'list' object has no attribute 'startswith'" |
2023-11-02 | SOLNESS-39506 | Asset and identity enrichment for "dest" assets causes an alignment issue in the Incident Review page. Workaround: dest_asset is not needed in Incident Review. The fields Destination IP, Destination DNS, Destination NT Hostname, and Destination MAC Address can be added separately. |
2023-11-02 | SOLNESS-39469 | Cannot customize fields in Risk Analysis DataModel |
2023-10-20 | SOLNESS-39223 | Modular input "confcheck_es_bias_language_cleanup" displays an error after upgrade even if it is disabled. Workaround: |
2023-10-11 | SOLNESS-39022 | No results returned when searching for a notable using the Short ID. |
2023-10-02 | SOLNESS-38795 | Error using the max_mem_usage_mb macro when upgrading from ES 7.0.2. Workaround: Make a clone of the notable macro, but remove the portions having to do with the get_drilldown_searches macro, whose definition is: `[get_drilldown_searches]` `definition = streamstats count as drilldown_event_id | eval updated_drilldown_searches=if((isnull(drilldown_searches) OR match(drilldown_searches, "\[\]")), json_array(json_object("name", drilldown_name, "search", drilldown_search, "earliest_offset", drilldown_earliest_offset, "latest_offset", drilldown_latest_offset)), drilldown_searches) | eval updated_drilldown_searches=json_array_to_mv(updated_drilldown_searches, true()) | mvexpand updated_drilldown_searches | spath input=updated_drilldown_searches path=name output=_temp_dd_name_ | spath input=updated_drilldown_searches path=search output=_temp_dd_search_ | spath input=updated_drilldown_searches path=earliest_offset output=earliest_offset | spath input=updated_drilldown_searches path=latest_offset output=latest_offset | eval drilldown_index_earliest=case(isint(earliest_offset) AND isint(use_index_time),_time-earliest_offset,earliest_offset="$info_min_time$",'info_min_indextime',1=1,null()),drilldown_index_latest=case(isint(latest_offset) AND isint(use_index_time),_time+latest_offset,latest_offset="$info_max_time$",'info_max_indextime',1=1,null()), earliest_offset=case(isint(earliest_offset),_time-earliest_offset,earliest_offset="$info_min_time$",'info_min_time',1=1,null()), latest_offset=case(isint(latest_offset),_time+latest_offset,latest_offset="$info_max_time$",'info_max_time',1=1,null()) | eval updated_drilldown_obj=json_object("name", _temp_dd_name_, "search", _temp_dd_search_, "earliest", earliest_offset, "latest", latest_offset, "index_earliest", drilldown_index_earliest, "index_latest", drilldown_index_latest) | fields - _temp_dd_search_, _temp_dd_name_, earliest_offset, latest_offset, updated_drilldown_searches | eventstats list(updated_drilldown_obj) as updated_drilldown_obj by drilldown_event_id | dedup drilldown_event_id | eval drilldown_searches=if(((isnull(drilldown_searches) AND isnull(drilldown_search)) OR match(drilldown_searches, "\[\]")), null(), updated_drilldown_obj) | fields - drilldown_event_id, updated_drilldown_obj` |
2023-09-22 | SOLNESS-38777 | Error message might be displayed when expanding notables in the Incident Review page. |
2023-09-11 | SOLNESS-38498 | The Risk Score field is not displayed as a link when you expand the rows in Incident Review and go to Additional Fields. |
2023-09-07 | SOLNESS-38261 | Unable to filter for events using "event_id=notable_id" in the Incident Review page; the page redirects to the default filters instead. |
2023-08-30 | SOLNESS-37237 | Cloned dashboards in Splunk Enterprise Security version 7.1.1 return a 404 error. |
2023-08-25 | SOLNESS-37062 | New drill-down searches in the Correlation Editor can show validation errors if they were saved earlier. |
2023-08-08 | SOLNESS-36864 | The Timeline visualization on the Incident Review page does not zoom in when double clicked. |
2023-08-02 | SOLNESS-36801 | Clicking Save or Save new filters twice might cause the Incident Review page to freeze or remain unresponsive. |
2023-07-27 | SOLNESS-36746, SOLNESS-36748 | Notable titles containing non-existent tokens are normalized with empty strings in the Incident Review page. |
2023-07-27 | SOLNESS-36731 | Timeline visualization on the Incident Review page cannot activate or deactivate the timeline buttons. |
2023-07-25 | SOLNESS-36660 | Timeline visualization on the Incident Review page does not allow you to zoom in on a selection of less than 1 minute. |
2023-07-20 | SOLNESS-36590 | The script 'confcheck_es_bias_language_cleanup' is reported as missing in Splunk Enterprise Security 7.2.0. |
2023-07-18 | SOLNESS-36563 | Timeline on the Incident Review page: cannot select a bar that was previously deselected. Workaround: Select, then deselect, a different bar. Then select the bar that you originally wanted to select. |
2022-09-14 | SOLNESS-32647 | Saved searches created in the Content Management page with private settings are not displayed. |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.2.0